Distribution of software products is a very time-consuming activity, especially in a data processing system including a large number of computers (or endpoints). A typical example is that of a large network with hundreds of endpoints, wherein software products are continually installed, upgraded or removed (for example, to keep abreast of information technology developments or to adapt to organizational changes). For this purpose, software distribution applications are commonly used to automate the distribution of the software products from a central site of the system. Typically, a software distribution application controls the building of software packages, each one adapted to enforce the desired condition of a corresponding software product (for example, installed, upgraded or removed). The software package is then distributed to selected endpoints, and it is applied on each one of them so as to install, upgrade or remove the software product. An example of a commercial software distribution application available on the market is the “IBM Tivoli Configuration Manager” (ITCM) by IBM Corporation.
Security issues have also become very important in recent years. In this respect, the current focus has drifted from the server side to the client side (which has been the target of many recent attacks by harmful code or malicious intruders). For this purpose, security applications (such as firewalls) are commonly used to control any communications of the endpoints. Particularly, a firewall may be installed on each endpoint (to control communications with other computers); moreover, a firewall may be installed on a router of a private network (to control communications of each endpoint of the private network with other computers outside it). In both cases, the firewall can protect the endpoints (either individually or as a whole in the private network) from attacks coming from computers that are not trusted.
Therefore, whenever a software product (being distributed to a specific endpoint) needs to communicate with other computers, the corresponding firewall must be properly configured before the software product can be used.
For this purpose, one approach that has been proposed is to have the end-user of each endpoint configure his/her firewall manually. However, the end-users generally do not have the skills required to perform this task. Moreover, the end-users may choose different firewall configurations for their endpoints; this may cause conflicts with global security policies (for example, at an enterprise level). In any case, the same operations must be repeated on each endpoint (or router); the time spent for each firewall, multiplied by the number of firewalls of the system, may make the process untenable in very large systems.
Another approach that has been proposed is to have the firewall alert the end-user whenever unauthorized communications are attempted. In this case, the end-user is prompted to decide whether the communications should be allowed or denied (either temporarily or permanently). However, this solution suffers from the same drawbacks pointed out above. Indeed, the end-users generally do not understand the meaning of the alerts provided by the firewalls; moreover, the end-users may allow different communications on their endpoints (even in conflict with global security policies). In any case, the process is time-consuming (and the alerts are often annoying for the end-users).
Some solutions have also been proposed for automating the configuration of the firewalls (for example, by means of scripts). However, these solutions are completely stand-alone, without any connection with the above-described software distribution process. In any case, manual operations are always required to define the desired firewall configurations and to prepare the corresponding scripts for their application.
Conversely, document US-A-2005/262501 (the entire disclosure of which is herein incorporated by reference to the maximum extent allowed by law) discloses a software distribution application, wherein the software packages may also be used to configure the software products. However, the configuration only relates to the same software products that are distributed with the software packages (or that were distributed previously).